This article explains how to configure a Cisco Firepower 2100 series device to operate in Appliance mode. We’ll show you how to switch from Platform mode to Appliance mode and how the device will automatically convert and retain your ASA configuration.

Before performing the conversion, its important to obtain a full backup of the Firepower system and therefore also cover how to backup your Cisco Firepower appliance configuration, certificates, VPN configuration (including pre-shared keys), VPN profiles and more, using the  Cisco Adaptive Security Device Manager (ASDM). 

Key Topics:

• Cisco Firepower Platform and Appliance Mode
• How to Backup Cisco ASA using ASDM
• Converting Firepower from Platform to Appliance Mode
• Summary

More in-depth technical articles can be found in our Cisco Firewall section.

Cisco Firepower Platform and Appliance Mode

The Cisco Firepower 2100 series operates on an underlying system called FXOS. You can run the Firepower 2100 for ASA in two modes:

• Platform Mode: In this mode, you need to configure basic operating parameters and hardware interface settings within FXOS. This includes tasks like enabling interfaces, setting up EtherChannels, managing NTP, and handling image management. You can use either the chassis manager web interface or the FXOS CLI for these configurations. Afterward, you can set up your security policy in the ASA operating system using ASDM or the ASA CLI.

• Appliance Mode (Default): This mode allows you to configure all settings directly in the ASA. Only advanced troubleshooting commands are available through the FXOS CLI in this mode. Appliance mode is similar to how the old ASA Firewalls (5500 series) ran when the FXOS didn’t exist.

The Management 1/1 interface is used to manage the Firepower device. The interface is configured with two IP addresses, one for the FXOS and one for the ASA. When changing to Appliance mode, the FXOS IP address is lost and will need to be reconfigured, however you can connect to the FXOS directly from the ASA software using the following command:

Cisco Firepower Threat Defense (FTD) is a unified software image, which is a combination of Cisco ASA and Cisco FirePOWER services features that can be deployed on Cisco Firepower 4100 and the Firepower 9300 Series appliances as well as on the ASA 5506-X,ASA 5506H-X, ASA 5506W-X, ASA 5508-X, ASA 5512-X, ASA 5515-X, ASA 5516-X, ASA 5525-X, ASA 5545-X, and ASA 5555-X. However, at the time of writing, the Cisco Firepower Threat Defense (FTD) unified software cannot be deployed on Cisco ASA 5505 and 5585-X Series appliances. 

Understanding Cisco Firepower Threat Defense Management & Capabilities

Simplifying management and operation of Cisco’s Next Generation Firewalls is one of the primary reasons Cisco is moving to a unified image across its firewall appliances.

Currently the Firepower Threat Defense can be managed through the Firepower Device Management (similar to Cisco’s ASDM) and Firepower Management Center (analyzed below).

Managing Options for FirePOWER Services and Firepower Threat Defense (FTD)

It should be noted that the Firepower Device Management software is under extensive development and is not currently capable of supporting all configuration options. For this reason it’s best to rely on the Firepower Management Center to manage the Cisco Firepower Threat Defense system.

The Firepower Management Center, also known as FMC or FireSIGHT, is available as a dedicated server or virtual image appliance (Linux based VM server) that connects to the FirePOWER or Firepower Threat Defense and allows you to fully manage either system. Organizations with multiple Firepower Threat Defense systems or FirePOWER Services would register and manage them from the FMC.

Alternatively, users can manage the Firepower Threat Defense (FTD) device using the Firepower Device Manager (FDM) – the concept is similar to ASDM.

Currently the latestCisco Firepower Threat Defense (FTD) unified software image available is version 6.2.x .

The Cisco Firepower Threat Defense is continually expanding the Next-Generation Firewall Servicesit supports which currently includes:

• Stateful Firewall Capabilities
• Static and Dynamic Routing. Supports RIP, OSPF, BGP, Static Routing
• Next-Generation Intrusion Prevention Systems (NGIPS)
• URL Filtering
• Application Visibility and Control (AVC)
• Advance Malware Protection (AMP)
• Cisco Identity Service Engine (Cisco ISE) Integration
• SSL Decryption
• Captive Portal (Guest Web Portal)
• Multi-Domain Management
• Rate Limiting
• Tunnelled Traffic Policies
• Site-to-Site VPN. Only supports Site-to-Site VPN between FTD appliances and FTD to ASA
• Multicast Routing Shared NAT
• Limited Configuration Migration (ASA to Firepower TD)

While the Cisco Firepower Threat Defense is being actively developed and populated with some great features, we feel that it’s too early to place it in a production environment. There are some stability issues, at least with the FTD image on the ASA platform, which should be ironed out with the newer software releases.

If you are already in the process of installing FTD on your ASA then you should heavily test it before rolling it out to production.

Due to the issues encountered, we were forced to remove the FTD installation by reimaging our ASA 5555-X Appliance with Cisco ASA and FirePOWER Services images. We believe the “Cisco Firepower Threat Defense” unified software image is very promising but requires some more time to reach a more mature and stable version.

Problems/Limitations Encountered With Cisco Firepower Threat Defense

While small deployments might be able to overcome the absence of many desired features (e.g IPSec VPN support), enterprise environments will certainly find it more challenging.

Depending on the environment and installation requirements customers will stumble into different limitations or issues. For example, on our ASA 5555-X we had major delays trying to push new policies from the Firepower Management Centre (FMC) to the newly imaged FTD ASA. With a total of just 5 policies implemented it took over 2 minutes to deploy them from the FMC to the FTD.

We also found that we were unable to configure any EtherChannel interfaces. This is considered a major drawback especially for organizations with multiple DMZ zones and high-bandwidth traffic requirements. Cisco has an official announcement for this right here.

In addition to the above, when we completed the conversion of our ASA to the FTD software we needed to open a TAC Service Request in order to get transfer our ASA License to the FTD image, adding additional unnecessary overhead and confusion. We believe this should have been automatically done during the installation process.

Cisco ASA Firepower Threat Defense (FTD) Installation – Quick Overview

Reimaging the Cisco ASA 5555-X Appliance to install the Cisco Firepower Threat Defense image is fairly simple once you understand what needs to be done. Here are the steps in the order they must be executed:

• Download the Cisco Firepower Threat Defense Boot&System image
• Reboot ASA, Break The Startup/Boot Sequence
• Upload the Boot Image and boot the ASA Firewall
• Install Firepower Threat Defense system software

Download the Cisco Firepower Threat Defense Boot & System Image

Using a valid CCO account that has the necessary software download privileges visit: Downloads Home>Products Security>Firewalls>Next-Generation Firewalls (NGFW)>ASA 5500-X with FirePOWER Services and select Firepower Threat Defense Software:

Downloading Cisco ASA 55xx Firepower Threat Defense software

Alternatively click on the following URL: Firepower Threat Defense Software Download

Next, select and download the latest boot image and system version. In our example this isversion 6.2.0:

Downloading the latest Firepower Threat Defense System and Boot Image

Reboot ASA, Break The Startup/Boot Sequence

When ready reboot the ASA appliance. During the boot process hit Break or Esc to interrupt boot:

It is strongly recommended you have a complete backup of your ASA Configuration and software before proceeding with the next steps which will erase the configuration and all files

Rebooting... Cisco BIOS Version:9B2C109A
Build Date:05/15/2013 16:34:44
CPU Type: Intel(R) Xeon(R) CPU X3460 @ 2.80GHz, 2793 MHz
Total Memory:16384 MB(DDR3 1333)
System memory:619 KB, Extended Memory:3573 MB
……. <output omitted>
Booting from ROMMON
Cisco Systems ROMMON Version (2.1(9)8) #1: Wed Oct 26 17:14:40 PDT 2011
Platform ASA 5555-X with SW, 8 GE Data, 1 GE Mgmt
Use BREAK or ESC to interrupt boot.
Use SPACE to begin boot immediately.
Boot in 10 seconds.

Boot interrupted.
Management0/0
Link is DOWN
MAC Address: 00f6.63da.e807
Use ? for help.
rommon #1>

At this point we have successfully interrupted the boot process and can proceed to the next step. 

Upload the Boot Image and Boot the ASA Firewall

We now need to configure the necessary parameters on the ASA Firewall to download the Cisco Firepower Threat Defence Boot Image. Ensure you have an FTP/TFTP server installed and configured to allow the Firewall to download the image/system files.

Now connect to the ASA console port using a terminal access application, e.g. Putty, configured with the following serial port settings:

• 9600 baud
• 8 data bits
• No parity
• 1 stop bit
• No flow control

Ensure the Cisco ASA 5500-X appliance is running rommon version v1.1.8 or greater by using an IOS command show module to ensure re-immaging will be successful. If the rommon version is earlier than v1.1.8 then the ASA Appliance needs a rommon upgrade. 

ciscoasa# show module
.. output omitted…
Mod    MAC Address Range                Hw Version     Fw Version     Sw Version
---- --------------------------------- ------------ ------------ ---------------
1       7426.aceb.ccea to 7426.aceb.ccf2    0.3          1.1.8           9.6(1)
sfr     7426.aceb.cce9 to 7426.aceb.cce9    N/A         N/A

Next, configure the ASA Firewall with the necessary network settings/variables so it can access the image and system files previously downloaded. ASA 5555-X firewall uses a built-in management interface, hence no need to specify the management interface.

rommon #1> address 10.32.4.129
rommon #2> server 10.32.4.150
rommon #3> gateway 10.32.4.150
rommon #4> file ftd-boot-9.7.1.0.cdisk
rommon #5> set
ROMMON Variable Settings:
 ADDRESS=10.32.4.129
 SERVER=10.32.4.150
 GATEWAY=10.32.4.150
 PORT=Management0/0
 VLAN=untagged
 IMAGE=ftd-boot-9.7.1.0.cdisk
 CONFIG=
 LINKTIMEOUT=20
 PKTTIMEOUT=4
 RETRY=20

Explanation of commands:

The Sync command will save the NVRAM parameters, effectively “enabling” the configuration changes. It’s advisable to try and ping the TFTP server. This will not only confirm the TFTP server is reachable but also populate the ARP table of the ASA Firewall:

rommon #6> sync
Updating NVRAM Parameters...

rommon #7> ping 10.32.4.150
Sending 20, 100-byte ICMP Echoes to 10.32.4.150, timeout is 4 seconds:
?!!!!!!!!!!!!!!!!!!!
Success rate is 95 percent (19/20)

When ready, issue the tftpdnld command to initiate the download of the boot image to the ASA Firewall. Once downloaded the system will automatically boot the image file:

rommon #7> tftpdnld
ROMMON Variable Settings:
ADDRESS=10.32.4.129
SERVER=10.32.4.150
GATEWAY=10.32.4.150
PORT=Management0/0
VLAN=untagged
IMAGE=ftd-boot-9.7.1.0.cdisk
CONFIG=
LINKTIMEOUT=20
PKTTIMEOUT=4
RETRY=20

tftp ftd-boot-9.7.1.0.cdisk@10.32.4.150 via 10.32.4.150
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Received 107292672 bytes

Launching TFTP Image...

Execute image at 0x14000

Cisco Security Appliance admin loader (3.0) #0: Mon Jan 16 09:01:33 PST 2017
Platform ASA5555

Loading...
IO memory blocks requested from bigphys 32bit: 125055
INIT: version 2.88 booting

Starting udev
Configuring network interfaces... done.
Populating dev cache
Found device serial number FCH2023J78M.
Found USB flash drive /dev/sdc
Found hard drive(s): /dev/sda /dev/sdb
fsck from util-linux 2.23.2
dosfsck 2.11, 12 Mar 2005, FAT32, LFN
There are differences between boot sector and its backup.
Differences: (offset:original/backup)
65:01/00
Not automatically fixing this.
/dev/sdc1: 62 files, 825465/2011044 clusters
Launching boot CLI ...
Configuring network interface using DHCP
Bringing up network interface.
Depending on your network, this might take a couple of minutes when using DHCP...
ifup: interface lo already configured
Using IPv6 address: fe80::2f6:63ff:feda:e807
IPv4 address not assigned. Run 'setup' before installation.
INIT: SwitchingStarting system message bus: dbus.
Starting OpenBSD Secure Shell server: sshd
generating ssh RSA key...
generating ssh ECDSA key...
generating ssh DSA key...
Could not load host key: /etc/ssh/ssh_host_ed25519_key
done.
Starting Advanced Configuration and Power Interface daemon: acpid.
acpid: starting up
acpid: 1 rule loaded
acpid: waiting for events: event logging is off

Starting ntpd: done
Starting syslog-ng:[2017-03-16T04:08:41.437297] Connection failed; fd='15', server='AF_INET(127.128.254.1:514)', local='AF_INET(0.0.0.0:0)', error='Network is unreachable (101)'
[2017-03-16T04:08:41.437321] Initiating connection failed, reconnecting; time_reopen='60'
.
Starting crond: OK

      Cisco FTD Boot 6.0.0 (9.7.1.)
      Type ? for list of commands
FIREWALLCX-boot>

Optionally you can ping the tftp/ftp server to confirm there is still connectivity with the server:

FIREWALLCX-boot> ping 10.32.4.150
PING 10.32.4.150 (10.32.4.150) 56(84) bytes of data.
64 bytes from 10.32.4.150: icmp_seq=1 ttl=128 time=0.722 ms
64 bytes from 10.32.4.150: icmp_seq=2 ttl=128 time=0.648 ms
64 bytes from 10.32.4.150: icmp_seq=2 ttl=128 time=0.856 ms
--- 10.32.4.150 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2018ms
rtt min/avg/max/mdev = 0.648/0.742/0.856/0.086 ms

Install Firepower Threat Defense System Software 

At this point our Firewall has successfully downloaded and booted the Boot image and is ready to accept the System image. At the prompt type setup and simply follow the bouncing ball. The setup process will gather important configuration parameters for the FTD device such as Hostname, IP address, Subnet mask, Gateway, DNS servers and more

Many of the configuration questions involve a yes/no answer. The default value that will be selected when leaving the parameter blank and hitting enter is marked in square brackets [ ]:

FIREWALLCX-boot> setup

                      Welcome to Cisco FTD Setup
                      [hit Ctrl-C to abort]
                      Default values are inside []

Enter a hostname [FIREWALLCX]: FIREWALLCXFTD
Do you want to configure IPv4 address on management interface?(y/n) [Y]: y
Do you want to enable DHCP for IPv4 address assignment on management interface?(y/n) [Y]: n
Enter an IPv4 address: 10.32.4.129
Enter the netmask: 255.255.255.0
Enter the gateway: 10.32.4.150
Do you want to configure static IPv6 address on management interface?(y/n) [N]: n
Stateless autoconfiguration will be enabled for IPv6 addresses
Enter the primary DNS server IP address: 10.32.4.150
Do you want to configure Secondary DNS Server? (y/n) [n]: n
Do you want to configure Local Domain Name? (y/n) [n]: y
Enter the local domain name: firewall.cx
Do you want to configure Search domains? (y/n) [n]: n
Do you want to enable the NTP service? [Y]: n
Please review the final configuration:

Hostname:                             FIREWALLCXFTD
Management Interface Configuration

IPv4 Configuration:                 static
           IP Address:                 10.32.4.129
           Netmask:                    255.255.255.0
           Gateway:                    10.32.4.150

IPv6 Configuration:                 Stateless autoconfiguration
DNS Configuration:
           Domain:                      firewall.cx
           DNS Server:                10.32.4.150

NTP configuration:                   Disable

CAUTION:
You have selected IPv6 stateless autoconfiguration, which assigns a global address
based on network prefix and a device identifier. Although this address is unlikely
to change, if it does change, the system will stop functioning correctly.
We suggest you use static addressing instead.

Apply the changes?(y,n) [Y]: Y
Configuration saved successfully!
Applying...
Restarting network services...
Done.
Press ENTER to continue...

At this point the appliance’s initial configuration phase is complete and ready to begin downloading the FTD system image

To initiate the image download use the system install ftp://10.32.4.150/ftd-6.2.0-362.pkg and replace the IP address portion with your FTP server’s IP address.

During the installation, the process will ask for the necessary credentials to authenticate to the FTP server. Right before the point of no return the system will ask for a final confirmation before erasing the appliance’s disk and initiating the upgrade. When the system image installation is complete, the system will require the user to hit enter to reboot.

Unnecessary output e.g. dots (….) have been removed from the log to make it easier to read and understand.

FIREWALLCX-boot> system install ftp://10.32.4.150/ftd-6.2.0-362.pkg

######################## WARNING ############################
# The content of disk0: will be erased during installation! #
#############################################################

Do you want to continue? [y/N]: y
Erasing disk0 ...
Extracting ...
Verifying. …

Enter credentials to authenticate with ftp server
Username: firewallcx
Password: $etmeup!
Verifying. ... ...
Downloading. … ...
Extracting. … …

Package Detail
           Description:                  Cisco ASA-FTD 6.2.0-362 System Install
           Requires reboot:           Yes

Do you want to continue with upgrade? [y]: y
Warning: Please do not interrupt the process or turn off the system.
Doing so might leave system in unusable state.

Starting upgrade process .... ….. ….
Populating new system image. ….. ….

Reboot is required to complete the upgrade. Press 'Enter' to reboot the system.

Broadcast message from root@FIREWALLCXFTD (ttyS0) (Thu Mar 16 05:46:03 2017):
The system is going down for reboot NOW!

The ASA FTD Appliance will now reboot. While this process is underway you will see a lot of information during shutdown and startup. When booting into the FTD system image for the first time it is normal to see a number of error/warning messages – do not be alarmed.

When the system has successfully booted it will require you to login using the default username (admin) & password (cisco123) then require you to press Enter to present Cisco’s EULA which must be accepted at the end by pressing again the enter key or typing YES:

Cisco ASA5555-X Threat Defense v6.2.0 (build 362)
firepower login: admin
Password: cisco123
You must accept the EULA to continue.
Press <ENTER> to display the EULA:
END USER LICENSE AGREEMENT
IMPORTANT: PLEASE READ THIS END USER LICENSE AGREEMENT CAREFULLY.
……………………………………..
Product warranty terms and other information applicable to Cisco products are
available at the following URL: http://www.cisco.com/go/warranty.

Please enter 'YES' or press <ENTER> to AGREE to the EULA: YES

Finally the last step involves changing the default admin password and configuring again the system’s network settings.

While it might seem repetitive and pointless to configure the network settings three times during the FTD boot image and system image installation, this allows companies to perform these necessary preparation tasks in an isolated environment, e.g. lab room, to get the device ready for the final deployment that will be in the production environment.

Similar to the previous steps, pressing enter will accept the default value shown between the brackets [ ]:

System initialization in progress. Please stand by.
You must change the password for 'admin' to continue.
Enter new password: $etmeup!
Confirm new password: $etmeup!
You must configure the network to continue.
You must configure at least one of IPv4 or IPv6.
Do you want to configure IPv4? (y/n) [y]: y
Do you want to configure IPv6? (y/n) [n]: n
Configure IPv4 via DHCP or manually? (dhcp/manual) [manual]: manual
Enter an IPv4 address for the management interface [192.168.45.45]: [enter]
Enter an IPv4 netmask for the management interface [255.255.255.0]: [enter]
Enter the IPv4 default gateway for the management interface [data-interfaces]: [enter]
Enter a fully qualified hostname for this system [firepower]: firewall.cx
Enter a comma-separated list of DNS servers or 'none' [208.67.222.222,208.67.220.220]: [enter]
Enter a comma-separated list of search domains or 'none' []:[enter]
If your networking information has changed, you will need to reconnect.

DHCP server is enabled with pool: 192.168.45.46-192.168.45.254. You may disable with configure network ipv4 dhcp-server-disable For HTTP Proxy configuration, run 'configure network http-proxy'

Manage the device locally? (yes/no) [yes]: yes
Configuring firewall mode to router Update policy deployment information - add device configuration Successfully performed firstboot initial configuration steps for Firepower Device Manager for Firepower Threat Defense.
>

The greater-than “>” symbol indicates the FTD setup is complete and running.

More information on the Cisco Firepower Threat Defense, including Installation and Upgrade Guides, can be found at the following Cisco URL:

https://www.cisco.com/c/en/us/support/security/firepower-ngfw/products-installation-guides-list.html

You can now log into the Cisco Firepower Device Manager by entering the ASA Firewall appliance IP address in your web browser:

Cisco Firepower Device Manager Login Screen

Once logged in, you can follow the step-by-step setup Device Setup Wizard that will take you the necessary steps to initially configure your new ASA FTD device:

Device Setup Page of Cisco FTD 

Experienced Firepower Threat Defense users can click on the Skip device setup link located on the lower area of the screen.

Summary

Cisco’s Firepower ThreatDefense(FTD) istheNext-Generation Firewall solution that will eventually replace the well-known ASA software. While FTD is still in its early years it is rapidly being adopted by organizations across the globe. It is important to understand the current limitations of FTD before moving it into a production environment. For example, important features such as site-to-site VPN are not currently supported, however, it does have a great clean and intuitive GUI interface!

For many, installing Cisco’s Firepower Threat Defense on an ASA Firewall appliance can be a confusing task. Our Cisco Firepower Threat Defense (FTD) installation guide has been designed to simplify the process by providing step-by-step instructions presented in an easy-to-understand format while also covering Cisco Firepower Threat Defense management options.

Through sophisticated software and hardware options (modules), the ASA’s 5500-X series Firewalls support a number of greatly advanced next-generation security features that sets them apart.These include:

• Cisco Intrusion Prevention System (IPS) services. A signature based IPS solution offered as a software or hardware module depending on the ASA 5500-X appliance model.
• Cisco ASA CX Context-aware services. A software module for ASA 5500-X appliances except the ASA 5585-X where it’s offered as a hardware module. Provides IPS services, Application Visibility and Control (AVC), web security and botnet filtering.
• Cisco FirePOWER Services. Cisco’s latest software & hardware threat protection, superseding previous technologies by combining IPS and CX services plus full contextual awareness of users, infrastructure, applications and content, URL filtering with advanced malware protection (AMP). Offered as a software module for 5500-X series appliances except the 5585-X, which requires a dedicated hardware module. Note that FirePOWER services run in parallel with the classical ASA software.
• Cisco Firepower Threat Defense (FTD). This is the next step after the FirePOWER services which was released by Cisco in 2015.  While FirePOWER services run alongside with the classical Cisco ASA software, the newer Firepower Threat Defence combines the Cisco ASA Software + FirePOWER services in one software package. This is also the concept of the newer Firepower appliances (e.g 4100 & 9000 series) which run Firepower Threat Defense software. At this point, Firepower Threat Defence is under continious development but does not still support many features offered by the classical ASA software. For example at the time of writing site-to-site IP Sec VPN is still not available.

Our previous article examined Cisco’s ASA 5500 series Firewall hardware modules, which include the Content Security CSC-SSM & Intrusion Prevention System (IPS) / Intrusion Detection System (IDS) AIP-SCC / AIP-SSM modules. While these solutions are no longer sold by Cisco, they have been widely deployed in data centers and corporate networks around the world and will be supported by Cisco until 2018.

Note: To download datasheets containing technical specifications and features offered by the Cisco 5500-X Series Firewalls with FirePOWER, IPS and CX Context-aware services, visit our Cisco ASA 5500 & 5500-X Series Adaptive Security Appliances Download Section.

Since Cisco’s announcement back in 2013 regarding the discontinuation of its ASA 5500 series firewall appliances in favour of the newer 5500-X Next Generation Firewalls, customers have been contemplating when to upgrade to the newer 5500-X series. Given the fact that Cisco is no longer providing major firmware upgrades to the older ASA 5500 series and the appearance of new advanced security threats and malware (e.g ransomware), it is now considered imperative to upgrade to the newer platform so that security is maintained at the highest possible level.

Customers seeking advanced protection are likely to consider expanding their ASA Firewall capabilities with the purchase of an IPS module, CX Context-aware or FirePOWER services.

Figure 1. The Cisco FirePOWER hardware module for the ASA-5585-X Firewall

Cisco’s FirePOWER advanced security threat protection solution was introduced late 2014 and its purpose is to replace the current ASA 5500-X IPS and ASA CX 5500-X Context-aware offerings.

The diagram below shows key security features provided by most Cisco ASA Firewall appliances. Features such as Clustering, High Availability, Network profiling, Identity-Policy Control, VPN and advanced access lists have until today been fairly standard offerings across the ASA Firewall series, however, the newer 5500-X can now offer the additional FirePOWER services marked in red below:

Figure 2. Cisco FirePOWER services (marked in red) provide advanced key security features to ASA Firewalls

Cisco’s FirePOWER solution has the ability not only to provide advanced zero-day IPS threat protection, but also to deliver exceptional security & firewalling services such as Application Visibility & Control, FirePower Analytics & Automation, Advanced Malware Protection (AMP) & Sandboxing, plus Web-based URL filtering, all in one box.

While most of these additional FirePOWER services are subscription based, meaning companies will need to fork out additional money, they do offer significant protection and control and help to reduce administrative complexity.

Customers utilizing Cisco’s Intrusion Prevention System (IPS) or FirePOWER services also have the option of the Cisco FireSIGHT Management Center – a solution used to centrally manage network security. Cisco’s FireSIGHT allows network administrators, security engineers and IT Managers to monitor events, analyse incidents, obtain detailed reporting and much more, from a single intuitive web-interface.

Figure 3. The Cisco FireSIGHT Management Center Graphical Interface

It’s evident that Cisco is marketing its ASA 5500-X series with FirePOWER services as its flagship network security & threat protection solution, which is why Firewall.cx will be covering the Cisco FirePOWER & FireSIGHT Management Center configuration in great depth in upcoming articles.

In recent years, we’ve seen Cisco tightly integrate separate security technologies such as Intrusion Prevention Systems (IPS) and Intrusion Detection Systems (IDS) within the ASA Firewall appliances in the form of hardware module add-ons (older 5500 series & newer 5500-X series) and, recently, software modules supported only by the newer ASA 5500-X series security appliances.

With the addition of the software or hardware module, customers are able to increase the firewall’s security and protection capabilities while at the same time simplifing security management and administration by dealing with a single firewall device instead of multiple firewall, IPS or IDS devices.

While this article covers the hardware modules available for the Cisco ASA 5500 Firewall series, upcoming articles will cover both software and hardware modules along with Cisco FirePOWER & FireSIGHT management services for the newer ASA 5500-X series.

Note: The Cisco ASA 5500 series hardware modules for ASA-5505, ASA 5510, ASA 5520 & ASA 5540 have been announced as End-of-Sale & End-of-Life. Modules below are no longer sold or supported by Cisco. Last day of support was 30^th of September 2018.

Users interested in the newer ASA 5500-X IPS, Context-Aware and FirePOWER services can read our article Cisco ASA 5500-X Series Firewall with IPS, ASA CX & FirePower Services. Application Visibility and Control (AVC), Web Security, Botnet Filtering & IPS / IDS.

Hardware Modules For ASA 5500 Series Firewalls

The ASA 5500 series Firewalls (ASA-5505, ASA 5510, ASA 5520, ASA 5540 etc) were the first security appliances with the capability to integrate hardware modules for enhanced security and threat protection.

To help target different markets and security requirements, Cisco split its hardware module offerings into two distinct categories:

• Content Security and Control Security Services (CSC-SSM)
• Advanced Inspection and Prevention Security Services (AIP-SCC & AIP-SSM)

Each hardware module card is equipped with its own CPU, RAM and Flash storage space, running a separate operating system that integrates with the ASA Firewall via its internal network ports.

Let’s take a brief look at each category.

The Content Security & Control Security Services Modules

The Content Security and Control Security Services module aims to cover corporate environments where comprehensive malware, advanced content filtering (including Web Caching, URL filtering, anti-phishing), and anti-spam filtering is required. This all-in-one hardware module solution is capable of providing a wealth of security and control capabilities essential for all size networks.

Following are the hardware modules supporting Content Security and Control Security Services:

• CSC-SSM-10: For ASA 5510 & ASA 5520. Initial support for 50 users, upgradable up to 500 users
• CSC-SSM-20: For ASA 5510, ASA 5520 & ASA 5540. Initial support for 500 users, upgradable up to 1000 users

The CSC-SSM-10 & CSC-SSM-20 modules look identical. Shown below is the CSC-SSM-20 module:

Figure 1. The Cisco CSC-SSM-20 hardware module for the ASA 5500 series Firewalls

Users requiring additional information on the Cisco CSC-SSM modules, including features, hardware specifications, licenses, and support contracts (Smartnet), can download the Cisco ASA 5500 Series Content Security and Control Security Services datasheet from our Cisco ASA 5500 Product Datasheets and Guides download section.

The Advanced Inspection & Prevention Security Services Modules

The Advanced Inspection and Prevention Security Services modules combine IPS and IDS threat protection with mitigation services aiming to protect and stop malicious traffic before it can affect the network. Updates for the modules occur up to every 5 minutes, ensuring real-time updates and effective protection from zero-day attacks.

Cisco ASA Firewall customers can choose between the following Advanced Inspection and Prevention Security Service modules depending on their ASA hardware platform:

• AIP SCC-5:For ASA 5505. 1 Virtual sensor. 75Mbps concurrent threat mitigation throughput.
• AIP SSM-10: For ASA 5510 & ASA 5520. 4 Virtual sensors. Up to 225Mbps concurrent threat mitigation throughput depending on ASA model.
• AIP SSM-20: For ASA 5520 & ASA 5540. 4 Virtual sensors. Up to 500Mbps concurrent threat mitigation throughput depending on ASA model.
• AIP SSM-40: For ASA 5520 & ASA 5540. 4 Virtual sensors. Up to 650Mbps concurrent threat mitigation throughput depending on ASA model.

Figure 2. The Cisco ASA Firewall AIP SSC-5, AIP SSM-20 and AIP SSM40 IPS hardware modules

Users requiring additional information on the Cisco AIP SSC-5 & AIP-SSM modules, including features, hardware specifications, licenses, and support contracts (Smartnet), can download the Cisco ASA 5500 Series Advanced Inspection and Prevention Security Services module and card datasheet from our Cisco ASA 5500 Product Datasheets and Guides download section.

Summary

The ASA 5500 Firewall series hardware modules offer a substantial number of network security enhancements making them ideal for corporate environments with sensitive data, in-house webservers and multiple VLANs & VPN networks. Their ability to provide advanced malware threat protection, URL filtering and IPS / IDS services make them the ideal upgrade for any ASA 5500 series Firewall adding true value to protecting and mitigating security threats.

What’s interesting is that NAT Reflection is not supported by all firewall appliances, however Cisco ASA Firewalls provide 100% support, making any NAT scenario possible. NAT Reflection is also seen at implementations of Cisco’s Telepresence systems where the ExpressWay-C server on the internal network needs to communicate with the ExpressWay-E server in the DMZ zone using its public IP address.

Note: Users seeking additional information on Network Address Translation concepts can visit our dedicated NAT Section that covers NAT in great depth.

Single 3-Port/Leg Firewall DMZ With One LAN Interface ExpressWay-E Server

In the example below, ExpressWay-C with IP address 192.168.1.50 needs to access ExpressWay-E (DMZ zone, IP address 192.168.5.5) using its public IP address of 203.40.40.5. This type of setup also happens to be one of the two most popular configurations:

Figure 1. NAT Reflection on a 3-Port ASA Firewall with Cisco Telepresence (ExpressWay-C & ExpressWay-E)

ExpressWay-C packets traversing the ASA Firewall destined to ExpressWay-E’s public IP address will have the following transformation thanks to the NAT Reflection configuration:

• Destination IP address 203.40.40.5 is replaced with Destination IP address 192.168.5.5 –ExpressWay-E’s private IP address. This is also known as Destination NAT (DNAT).
• The Source IP address 192.168.1.50 (ExpressWay-C) is replaced with Source IP address 192.168.5.1 – ASA’s DMZ interface IP address. This is also known as Source NAT (SNAT).

When ExpressWay-C packets arrive to the ExpressWay-E server, they will have the following source & destination IP address: Source IP: 192.168.5.1, Destination IP: 192.168.5.5

Translation of the source IP address (SNAT) of packets (192.168.1.50 to 192.168.5.1) for this traffic flow is optional however required specifically for the Cisco ExpressWay setup. The configuration commands for the above setup is as follows:

For ASA Versions 8.3 and later:

NOTE: After the NAT command is applied you will receive the two above warning messages.

The last line in our ASA configuration performs Source NAT and Destination NAT in one command.

For ASA Versions 8.2 and earlier:

access-list INT-DMZ-IN extended permit ip host 192.168.1.50 host 203.40.40.5
static (inside,DMZ) interface access-list INT-DMZ-IN
!
access-list INT-DMZ-IN extended permit ip host 192.168.5.5 host 192.168.5.1
static (DMZ,inside) 203.40.40.5 access-list INT-DMZ-IN

As shown, there are two levels of NAT occurring for this scenario, both required by the Cisco Telepresence - ExpressWay infrastructure.

Dual 2-Port/Leg Firewalls DMZ With One LAN Interface ExpressWay-E Server

The second most popular setup involves two firewalls, one protecting our LAN (Firewall 2) and one protecting our DMZ (Firewall 1) while also limiting traffic hitting our LAN firewall:

Figure 2. NAT Reflection on a 2-Port ASA Firewall with DMZ for Cisco Telepresence (ExpressWay-C & ExpressWay-E)

In this slightly more complex setup, Firewall No.1 is where we apply NAT Reflection to inbound traffic from ExpressWay-C server destined to ExpressWay-E’s public IP address 203.40.40.5.

It’s important to note that returning traffic from ExpressWay-E to ExpressWay-C will have to pass through Firewall 1 again. If an attempt is made to direct returning traffic through Firewall 2 (bypassing Firewall 1) e.g via a static route, then we’ll have a condition known as Asymmetric Routing, possibly causing disruptions in the communication between the two servers.

Note: Asymmetric Routing occurs when returning traffic between two hosts does not follow the same route as the original traffic. This condition is not favored by Firewalls as they track traffic and expect returning traffic to follow the same path originally taken.

Firewall No.1 is also configured with a one-to-one static NAT mapping, directing all traffic towards 203.40.40.5 to 192.168.5.5.

ExpressWay-C packets traversing ASA Firewall 1 destined to ExpressWay-E’s public IP address will have the following transformation thanks to the NAT Reflection configuration:

• Destination IP address 203.40.40.5 is replaced with Destination IP address 192.168.5.5 –ExpressWay-E’s private IP address. This is also known as Destination NAT (DNAT).
• The Source IP address 192.168.1.50 (ExpressWay-C) is replaced with Source IP address 192.168.5.2 – Firewall 1’s internal interface IP address. This is also known as Source NAT (SNAT).

Firewall 2 does not perform any NAT for traffic between ExpressWay-C and ExpressWay-E. When ExpressWay-C packets arrive to the ExpressWay-E server, they will have the following source & destination IP address: Source IP: 192.168.5.2, Destination IP: 192.168.5.5

Translation of the source IP address (SNAT) of packets (192.168.1.50 to 192.168.5.2) for this traffic flow is optional however required specifically for the Cisco ExpressWay setup. The configuration commands for the above setup is as follows:

For ASA Versions 8.3 and later:

NOTE: After the NAT command is applied you will receive the two above warning messages.

The last line in our ASA v8.3 and later configuration performs Source NAT and Destination NAT in one command.

For ASA Versions 8.2 and earlier:

Summary

NAT Reflection (NAT Loopback or Hairpinning) is a fairly new NAT concept to most but as we’ve seen it’s a fairly easy one to understand. Implementations of NAT Reflection are slowly becoming popular due to the new and complex technologies that require this type of NAT functionality – Telepresence and video conferencing being one of them. We covered NAT Reflection for the two most popular Firewall configurations including diagrams and ASA Firewall configuration commands.

The Cisco AnyConnect SSL VPN has become the VPN standard for Cisco equipment, replacing the older Cisco IPSec VPN Client. With the introduction of the newer 4.x AnyConnect, Cisco has made dramatic changes to their licensing and features supported. Our Cisco AnyConnect 4.x Licensing article explains the differences with the newer 4.x licensing and has all the details to help organizations of any size migrate from 3.x AnyConnect to 4.x. You’ll also find the necessary Cisco ordering codes along with their caveats.

Figure 1. Cisco AnyConnect v4.x

The latest AnyConnect client at the time of writing is version 4.2.02075, which is available for Cisco customers with AnyConnect Plus or Apex licenses. Cisco provides both head-end and standalone installer files. The head-end files (.pkg extension) are deployed on the Cisco ASA Firewall and automatically downloaded by the VPN clients once authenticated via the web browser.

Uploading AnyConnect Secure Mobility Packages To The ASA Firewall

Images can be uploaded to the Cisco ASA Firewall via a standard tftp client using the copy tftp flash: command:

We repeat the same commands until all 3 files have been uploaded so we can fully support Windows, Linux and MAC OS clients.

Using the dir command at the end of the process confirms all files have been successfully uploaded to our ASA Firewall:

Registering The New AnyConnect Packages

Assuming AnyConnect is already configured on your ASA Firewall, registering the new packages is a very simple process. In the near future, we’ll be including a full guide on how to setup AnyConnect Secure Mobility on Cisco ASA Firewalls.

Enter configuration mode and in the webvpn section add the following commands:

When dealing with multiple clients (supported platforms) of AnyConnect, assign an order to the client images using the numbers (1, 2, 3) at the end of each package command as shown above.

Previous versions of AnyConnect packages (.pkg) can be removed from the configuration by using the no anyconnect image disk0:/anyconnect-win-xxxxx-k9.pkg command.

Verifying The New AnyConnect Packages

As a final step, we can verify that the AnyConnect packages have been successfully installed using the show webvpn anyconnect command:

This completes the upgrade process of AnyConnect Secure Mobility Client on an ASA Firewall Security appliance. We saw all CLI commands involved to upload and register the new AnyConnect packages, remove the old AnyConnect packages and finally verify the packages are correctly registered for usage.

All AnyConnect licenses prior to version 4 had the AnyConnect Essentials and Premium licensing scheme. The newer v4.x AnyConnect licenses now have one of the three licensing options:

• Cisco AnyConnect Plus License (Subscription Based)
• Cisco AnyConnect Plus Perpetual License (Permanent – no subscription)
• Cisco AnyConnect Apex License (Subscription Based)

With the new AnyConnect licenses, Cisco has moved to a subscription-based licensing model which means customers will unfortunately need to fork out more money in the long run.  The Plus Perpetual License on the other hand allows Cisco customers to purchase a one-time license, however the license costs significantly higher than the subscription-based license.

We should also note that AnyConnect 4.0 is not licensed based on simultaneous connections (like the previous AnyConnect 3.x), but is now user-based. This means a user connecting via his smartphone and laptop simultaneously will only occupy a single license.

Since the newer AnyConnect licenses are subscription-based, according to Cisco, if their subscription expires and is not renewed, they will stop working.
 
Cisco AnyConnect Secure Mobility Client 4.0 supports the following operating systems:

• Windows 8.1 (32bit & 64Bit)
• Windows 8 (32bit & 64Bit)
• Windows 7 (32bit & 64Bit)
• Linux Ubuntu 12.X 64Bit
• Linux RedHat 6 64Bit
• Mac OS X 10.10 – 10.8

As expected, Windows XP is no longer supported.

Let’s take a look at each license feature and how the older AnyConnect Essentials and Premium licenses map to the newer AnyConnect Plus and Apex licenses:

Figure 1. Mapping AnyConnect 3.x Essentials & Premium to AnyConnect 4.x Plus & Apex

Related AnyConnect Articles on Firewall.cx:

• Configuring Cisco SSL VPN AnyConnect 3.x (WebVPN) on Cisco IOS Routers
• WEB SSL VPN - The Next Wave Of Secure VPN Services

Cisco AnyConnect Plus License (Old Essentials License) 5, 3 or 1-Year Term

The AnyConnect Plus License is a subscription-based license with the option of a 5, 3 or 1-year renewable subscription and supports the following features:

• VPN Support for Devices. Includes Workstations and Laptops.
• Secure Mobility Client support (AnyConnect Mobile). Includes mobile phones, tablets etc.
• SSL VPN (Client-based)
• Per-app VPN. Authorize specific applications access the VPN.  Supports specific devices and software.
• Basic endpoint context collection
• IEEE 802.1X Windows supplicant
• Cisco Cloud Web Security agent for Windows & Mac OS X platforms
• Cloud Web Security and Web Security Appliance support
• Cisco Advanced Malware Protection for Endpoints Enabler. AMP for Endpoints is licensed separately
• Network Access Manager
• Federal Information Processing Standards (FIPS) Compliance

It is worth noting that AnyConnect 3.x required the purchase of Essentials or Premium license + AnyConnect Mobile (L-ASA-AC-M-55xx) in order to support mobile devices (Smartphones, Tablets etc.).  AnyConnect Mobile is now integrated into the new AnyConnect Plus license.

Cisco AnyConnect Plus Perpetual (permanent) License

The AnyConnect Plus Perpetual license supports the same features as the Plus license above, but with the difference that it is a permanent license.
 
The customer purchases it once and does not have any subscription services, however it is still required to purchase a software application support plus upgrade (SASU) contract. This is covered in detail at the end of this article.

Customers considering the Plus Perpetual license should compare costs with the subscription-based license to see if it is worth going down that path.

Cisco AnyConnect Apex License (Old Premium License)

The AnyConnect Apex License includes all offerings in the AnyConnect Plus license plus the following:

• All AnyConnect Plus features
• Clientless (browser-based) VPN Termination on the Cisco ASA Firewall appliance
• VPN compliance and posture agent in conjunction with the Cisco ASA Firewall appliance
• Unified compliance and posture agent in conjunction with the Cisco Identity Services Engine (ISE) 1.3 or later
• Support for stronger Next-generation encryption (Suite B)

The AnyConnect Apex license is only available as a subscription-based license. There is no perpetual license available.
 
The Next Generation Suite B encryption supports the following stronger encryption standards:

• Advanced Encryption Standard (AES) with key sizes of 128 and 256 bits.
• Elliptic Curve Digital Signature Algorithm (ECDSA) — digital signatures
• Elliptic Curve Diffie–Hellman (ECDH) — key exchange agreement
• Secure Hash Algorithm 2 (SHA-256 and SHA-384) — message digest

Purchasing AnyConnect Licenses & Important Notes – Understand SAS & SASU For AnyConnect

While AnyConnect licensing has been simplified, there are still a few important areas we must be aware of to avoid licensing and future upgrade issues.

Before we dive in, we need to clarify what Software Application Support (SAS) and Software Application Support plus Upgrade (SASU) is because they are required with AnyConnect licenses:

SAS:  Provides access to Cisco’s latest software application updates (e.g AnyConnect, VPN Client software). SAS also includes minor release updates (e.g. AnyConnect 4.0 to 4.1 upgrade) and 24-hour technical assistance from Cisco TAC (Only for the specific software/application) and unrestricted access to online tools.

SASU: Includes everything provided in SAS, plus major upgrade release of the software e.g from AnyConnect 4.x to AnyConnect 5.x (when available).

When purchasing AnyConnect Plus or AnyConnect Apex subscription-based licenses, SASU is already included and is not required to be purchased separately.
 
When purchasing AnyConnect Plus Perpetual licenses, SASU must be purchased.  To do so, you need to order the following:

1. Order the Cisco AnyConnect Plus Perpetual License (L-AC-PLS-P-G) which has no cost ($0)
2. Add the User License required e.g Cisco AnyConnect Plus - Perpetual License/25 users (AC-PLS-P-25-S)
3. Add the SASU product for the selected User License (AC-PLS-P-25-S). In our example the SASU product will be CON-SAU-ACPL25. It is also necessary to specify the duration of the contract (1 – 60 months). The longer the duration, the larger the cost.

Full product ID’s for AnyConnect Plus, Plus Perpetual and Apex licenses along with all subscriptions and SASU products are available in the Cisco AnyConnect Ordering Guide freely available from our Cisco Product Datasheets & Guides section.

Below we are including a list of the maximum VPN peers/sessions supported by each ASA Firewall appliance to help customers decide the amount of AnyConnect licenses they require:

Cisco ASA Maximum VPN Peers / Sessions

5505 = 25
5510 = 250
5520 = 750
5540 = 5,000
5550 = 5,000
5580 = 10,000

Cisco ASA Next Generation Platform (X) VPN Peers / Sessions

5512-X = 250
5515-X = 250
5525-X = 750
5545-X = 2,500
5555-X = 5,000
5585-X = 10,000

Cisco AnyConnect Plus, AnyConnect Apex Migration Licenses

Cisco customers who purchased AnyConnect Essentials, Premium and Shared Premium licenses prior to March 2 2015, can transition to the new Plus/Apex licenses by ordering the Plus/Apex Migration subscription licenses for 5, 3 or 1-year term.

The last day to purchase AnyConnect Migration licenses is 31st of December 2015.

The AnyConnect Migration license product IDs are available in the Cisco AnyConnect Ordering Guide freely available from our Cisco Product Datasheets & Guides section.

This article explained the new Cisco AnyConnect 4.x licensing model. We analysed the three new simplified licensing options AnyConnect Plus, Plus Perpetual and AnyConnect Apex, including the features each license supports and how they map to the old Essentials and Premium licenses. We covered the operating systems supported by AnyConnect 4.x, ordering product IDs and analysed the SASU services required with AnyConnect Perpetual  licenses, AnyConnect Migration licenses while also noting the maximum VPN sessions supported by all available ASA Firewall appliances.

While many consider the Cisco ASA Firewalls complex and difficult to configure devices, Firewall.cx aims to break that myth and show how easy you can setup an ASA Firewall to deliver basic and advanced functionality. We’ve done it with other Cisco technologies and devices, and we’ll do it again :)

The table below provides a brief comparison between the different ASA5500 series security appliances:

Users can also download the complete technical datasheet for the Cisco ASA 5500 series firewalls by visiting our Cisco Product Datasheet & Guides Download section.

Perhaps one of the most important points, especially for an engineer with limited experience, is that configuring the smaller ASA 5505 Firewall does not really differ from configuring the larger ASA5520 Firewall. The same steps are required to setup pretty much all ASA 5500 series Firewalls – which is Great News!

The main differences besides the licenses, which enable or disable features, are the physical interfaces of each ASA model (mainly between the ASA 5505 and the larger 5510/5520) and possibly modules that might be installed. In any case, we should keep in mind that if we are able to configure a small ASA5505 then configuring the larger models won’t be an issue.

At the time of writing of this article Firewall.cx came across a Cisco ASA5505, so we decided to put it to good use for this article, however, do note that all commands and configuration philosophy is the same across all ASA5500 series security appliances.

ASA5500 Series Configuration Check-List

We’ve created a simple configuration check-list that will help us keep track of the configured services on our ASA Firewall. Here is the list of items that will be covered in this article:

• Erase existing configuration
• Configure Hostname, Users, Enable password & Disable Anonymous Reporting
• Configure interface IP addresses or Vlan IP addresses (ASA5505) & Descriptions
• Setup Inside (private) & Outside (public) Interfaces
• Configure default route (default Gateway) & static routes
• Configure Network Address Translation (NAT) for Internal Networks
• Configure ASA DHCP Server
• Configure AAA authentication for local database user authentication
• Enable HTTP Management for inside interface
• Enable SSH & Telnet Management for inside and outside interfaces
• Create, configure and apply TCP/UDP Object-Groups to firewall access lists
• Configuration of access-lists for ICMP packets to the Internet
• Apply Firewall access lists to ‘inside’ and ‘outside’ interfaces
• Configure logging/debugging of events and errors

Note: it is highly advisable to frequently save the ASA configuration to ensure no work is lost in the event of a power failure or accident restart.

Saving the configuration can be easily done using the write memory command:

Erasing Existing Configuration

This first step is optional as it will erase the firewall’s configuration. If the firewall has been previously configured or used it is a good idea to start off with the factory defaults. If we are not certain, we prefer to wipe it clean and start from scratch.

Once the configuration is deleted we need to force a reboot, however, take note that it’s important not to save the system config to ensure the running-config is not copied to the startup-config otherwise we’ll have to start this process again:

Configure Hostname, Users, 'Enable' Password & Disable Anonymous Reporting

Next, we need to configure the Enable password, required for privileged exec mode access, and then user accounts that will have access to the firewall. 

The ASA Firewall won’t ask for a username/password when logging in next, however, the default enable password of ‘cisco’, will be required to gain access to privileged mode:

The privilege 15 parameter at the end of the command line ensures the system is aware that this is an account with full privileges and has access to all configuration commands including erasing the configuration and files on the device’s flash disk, such as the operating system.

Configure Interface IP addresses / VLAN IP Addresses & Descriptions

Depending on the ASA appliance we have, we can configure physical interfaces (inside/outside) with IP addresses, usually done with ASA5510 and larger models,  or create VLANs (inside/outside) and configure them with IP addresses, usually with the smaller ASA5505 models.

In many cases network engineers use VLAN interfaces on the larger ASA5500 models, however, this depends on the licensing capabilities of the device, existing network setup and more.

In the case of the ASA5505 we must use VLAN interfaces, which are configured with their appropriate IP addresses and then (next step) characterised as inside (private) or outside (public) interfaces:

The setroute parameter at the end of the command will ensure the ASA Firewall sets its default route (gateway) using the default gateway parameter the DHCP server provides.

After configuring VLAN1 & VLAN2 with the appropriate IP addresses, we configured ethernet 0/0 as an access link for VLAN2 so we can use it as a physical public interface.  Out of the 8 total Ethernet interfaces the ASA5505 has, at least one must be set with the switchport access vlan 2 otherwise there won’t be any physical public interface on the ASA for our frontend router to connect to. Ethernet ports 0/1 to 0/7 must also be configured with the no shutdown command in order make them operational. All of these ports are, by default, access links for VLAN1. Provided are the configuration commands for the first two ethernet interface as the configuration is identical for all:

Setup Inside (private) & Outside (public) Interfaces

Next, we must designate the Inside (private) and Outside (public) interfaces. This step is essential and will help the ASA Firewall understand which interface is connected to the trusted (private) and untrusted (public) network:

The ASA Firewall will automatically set the security level to 100 for inside interfaces and 0 to outside interfaces.  Traffic can flow from higher security levels to lower (private to public), but not the other way around (public to private) unless stated by an access-lists. 

To change the security-level of an interface use the security-level xxx command by substituting xxx with a number from 0 to 100. The higher the number, the higher the security level.  DMZ interfaces are usually configured with a security level of 50.

It is extremely important the necessary caution is taken when selecting and applying the inside/outside interfaces on any ASA Firewall.

Configure Default Route (default gateway) & Static Routes

The default route configuration command is necessary for the ASA Firewall to route packets outside the network via the next hop, usually a router. In case the public interface (VLAN2) is configured using the ip address dhcp setroute command, configuration of the default gateway is not required.

For networks with multiple internal VLANs, it is necessary to configure static routes to ensure the ASA Firewall knows how to reach them. Usually these networks can be reached via a Layer3 switch or an internal router.  For our example, we’ll assume we have two networks: 10.75.0.0/24 & 10.76.0.0/24 which we need to provide Internet access to. These additional networks are contactable via a Layer3 device with IP address 10.71.0.100:

Configure Network Address Translation (NAT) For Internal Networks

This is the last step required to successfully provide Internet access to our internal networks. Network Address Translation is essential to masquerade our internal network using the single IP address our Public interface has been configured with.  Network Address Translation, along with all its variations (Static, Dynamic etc), is covered in great depth in our popular Network Address Translation section.

We should note at this point that NAT configuration has slightly changed with ASA software version 8.3 and above. We will provide both commands to cover installations with software version up to v8.2.5 and from v8.3 and above.

The following commands apply to ASA appliances with software version up to 8.2.5:

In the above configuration, the ASA Firewall is instructed to NAT all internal networks using the NAT Group 1. The number ‘1’ is used to identify the NAT groups for the NAT process between the inside and outside interfaces.

The global (outside) 1 interface command instructs the ASA Firewall to perform NAT using the IP address assigned to the outside interface.

Another method of configuring NAT is with the use of access lists. In this case, we define the internal IP addresses to be NAT’ed with the use of access lists:

NAT with the use of access lists provides greater flexibility and control which IP addresses or networks will use the NAT service.

With software version 8.3 and newer, things have changed dramatically and there are no more access lists in NAT configuration lines.

The new NAT format now utilizes "object network", "object service" and "object-group network" to define the parameters of the  NAT  configuration.

The following commands (software version 8.3 and above) will provide NAT services to our internal networks so they can access the Internet:

Configuring The ASA DHCP Server

The existence of a DHCP server is necessary in most cases as it helps manage the assignment of IP address to our internal hosts. The ASA Firewall can be configured to provide DHCP services to our internal network, a very handy and welcome feature.

Again, there are some limitations with the DHCP service configuration which vary with the ASA model used. In our ASA5505, the maximum assigned IP addreses for the DHCP pool was just 128!

Note that the DHCP service can run on all ASA interfaces so it is necessary to specify which interface the DHCP configuration parameters are for:

Once configured, the DHCP service will begin working and assigning IP addresses to the clients. The Gateway IP address parameter is automatically provided to client and is not required to be configured on the ASA Firewall appliance.

We can verify the DHCP service is working using the show dhcpd statistics command:

If required, we can clear the DHCP bindings (assigned IP addresses) using the clear dhcpd binding command.

Configure AAA Authentication For Local Database User Authentication

Configuring AAA authentication is always a good idea as it instructs the ASA Firewall to use the local user database for the various services it's running. For example, we can tell the ASA Firewall to use a radius server for VPN user authentication, but use its local database for telnet, ssh or HTTP (ASDM) management access to the Firewall appliance.

As mentioned, our example instructs the ASA Firewall to use its local database:

Enable HTTP Management For Inside Interface

We now turn to the management settings of our ASA Firewall to enable and configure HTTP management. This will allow access to the Firewall’s management via the popular ASDM management application:

The above commands enable HTTP management on the ASA Firewall only for the network 10.71.0.0/24.

Enable SSH & Telnet Management For Inside & Outside Interfaces

Enabling SSH and Telnet access to the Cisco Firewall is pretty straightforward. While we always recommend the use of SSH, especially when accessing the Firewall from public IPs, telnet is also an option, however, we must keep in mind that telnet management methods do not provide any security as all data (including username, passwords and configurations) are sent in clear text.

Before enabling SSH, we must generate RSA key pairs for identity certificates. Telnet does not require any such step as it does not provide any encryption or security:

Note that the ASA Firewall appliance will only accept SSH connections from host 200.200.90.5 arriving on its public interface, while SSH and telnet connections are permitted from network 10.71.0.0/24 on  the inside interface.

Create, Configure & Apply TCP/UDP Object-Groups

An essential part of any firewall configure is to define the Internet services our users will have access to. This is done by either creating a number of lengthy access lists for each protocol/service and then applying them to the appropriate interfaces, or utilising the ASA Firewall Object-Groups which are then applied to the interfaces. Using Object-groups is easy and recommended as they provide a great deal of flexibility and ease of management.

The logic is simple:  Create your Object-Groups, insert the protocols and services required, and then reference them in the firewall access -lists. As a last step, we apply them to the interfaces we need.

Let’s use an example to help visualise the concept. Our needs require us to create two Object-Groups, one for TCP and one for UDP services:

Now we need to reference our two Object-groups using the firewall access lists. Here we can also define which networks will have access to the services listed in each Object-group:

Note that the 10.71.0.0/25 network has access to both Object-groups services, our other networks are restricted to only the services defined in the TCP Object-group. To understand how Object-groups help simplify access list management: without them, we would require 37 access lists commands instead of just 4!

Configuration Of Access-Lists For ICMP Packets To The Internet

To complete our access list configuration we configure our ASA Firewall to allow ICMP echo packets (ping) to any destination, and their replies (echo-reply):

Appling Firewall Access-Lists To ‘inside’ & ‘outside’ Interfaces

The last step in configuring our firewall rules involves applying the two access lists, inside-in & outside-in, to the appropriate interfaces. Once this step is complete the firewall rules are in effect immediately:

Configure Logging/Debugging Of Events & Errors

This last step in our ASA Firewall configuration guide will enable logging and debugging so that we can easily trace events and errors. It is highly recommended to enable logging because it will certainly help troubleshooting the ASA Firewall when problems occur.

The commands used above enable log in the debugging level (7) and sets the buffer size in RAM to 30,000 bytes (~30Kbytes).

Issuing the show log command will reveal a number of important logs including any packets that are processed or denied due to access-lists:

Summary

This article serves as an introduction configuration guide for the Cisco ASA5500 series Firewall appliances. We covered all necessary commands required to get any ASA5500 Firewall working and servicing network clients, while also explaining in detail all commands used during the configuration process.